Microsoft's Security Development Process Under CC License
An anonymous reader writes "The H Online writes: 'Microsoft has placed its process for secure software development under a Creative Commons License. The company hopes that this will lead to more developers utilising its process for programming software more securely across the entire product lifecycle ...'"
Re:secure? (Score:2, Interesting)
Re:Oh boy... (Score:5, Interesting)
I think it's simpler than that.
Windows can be very heavily locked down so end-users can literally do nothing more than that which is explicitly made available to them. Heck, with something like SteadyState, it can even roll back any changes with a simple reboot.
But far too many third party developers seem to actively go out of their way to break any security - they seem to have some sort of mental block understanding that the assumptions you make when you're designing an application which will run on a system which you can more or less guarantee will only ever have one person using it (and that person has no realistic hope of screwing it up badly simply because there's so little to screw up) simply do not work on a modern multi-user, multi-tasking networked operating system.
I've lost count of the number of applications - and these aren't crappy things you find on download.com, they're expensive commercial products that are intended to have multiple users - that explicitly expect the end-user to have local admin rights and their first support response is "Does the user have admin rights? No? Go away and come back when they do. I don't care if you can explicitly prove that this isn't the issue here...".
Secure from *what*? (Score:2, Interesting)
Secure from cracking, or secure from competition?
Because, at least prior to Bush's Justice Department dropping all charges against Microsoft, the second would be a pretty long list of felonies.
The Problem is... (Score:2, Interesting)
Companies that run these operating systems and other software do not think of security at all. They just assume that everything's fine. Home users are even worse. That attitude will also have to change for things to get better.
Re:Oh boy... (Score:3, Interesting)
Pretty sure you have no idea about Unix internals vs NT internals. UNIX doesn't have ACL security.
So, the "Unix internals vs NT internals" is summed up as UNIX not having ACL security?
Pfffff.. Yeah, looks like you know a lot more on the subject.
WRONG. Unlike Windows, which only supports ONE ACL scheme, which is built in, most of the UNIX variants out there support complex ACL mechanisms through a modular design or patches. Windows ACLs are also very basic compared to the full access control provided by SELinux.
Keywords: SELinux, GRSecurity, FS extended attributes, PAM, ...
Now go back under the rock you came from.
Re:Oh boy... (Score:2, Interesting)
Wow, not only did you ignore most of the text in the advisory, but you don't know anything about how malware works either, do you? Gee, adding things to the startup folder/registry means it might take what... two boots? to fully infect a machine with a piece of malware that has then gained full privileges? I've watched (on both Windows 7 and Vista) malware initiate itself using svchost and smss to, with admin privileges, install itself with the same privileges. All it took, on a locked down machine, was a couple of reboots. So yeah, kernel mode drivers and full access may be worse, but in the end, it doesn't matter. The end results are the same.
Re:Oh boy... (Score:3, Interesting)
WTF are you prattling on about? .NET insecure? Seriously? Do you even know what you're talking about? You are making vague claims that make little sense. Like calling the Firefox plug-in a security flaw... It's using the mechanism that Firefox provided for machine-wide plugins. Firefox has since improved on that, but it wasn't MS's fault nor was it a security flaw.
Please, point me to some evidence of any severe unpatched .NET flaws or exploits. I don't know of any. I think you are confused and simply applying catchphrases you've heard and pretending you know what you're talking about.